hxxps://188.165.198.52 URL:Mal

I have constant Avast alerts blocking hxxps://188.165.198.52. I need help removing this infection, because nothing seems to work. I believe it’s hiding in explorer.exe and using up all my pc’s memory.

Hello,

  1. Please download ComboFix by sUBs from here and save it to your Desktop.
     If you are unsure how ComboFix works, read this guide.

  2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. It may interfere with ComboFix.
     If you are unsure how to do this, please read this or this instruction.

Instructions on how to disable avast:
• Right click on the avast! system tray icon in the lower right corner of the screen and scroll up to avast! shield controls;
• In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn this option back on after the cleaning by choosing avast! shield controls > Enable all shield options.


  3. Run ComboFix. Then, on the disclaimer window, click the I Agree! button.

- ComboFix will check if there is a newer version of ComboFix available. Click Yes if prompted to download.
- If the Recovery Console is not installed, ComboFix will offer to download and install it. Click Yes to allow ComboFix to install the Recovery Console.

  • ComboFix will scan your computer in stages, a total of 50 stages.
    Do not mouse-click around while ComboFix is running.
  • If malware is detected, ComboFix will begin with its removal, and may need to restart Windows.
    Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion”, just restart your computer.

  4. When the tool is finished, it will produce a log report for you (typical location: C:\ComboFix.txt).
     => Attach the log report (ComboFix.txt) back to the topic.

ComboFix will also create an additional log (typical location: C:\Qoobox\ComboFix-quarantined-files.txt).
=> Please attach that report (ComboFix-quarantined-files.txt) as well.

Hey, here are the logs.

Please download the Zoek tool by Smeenk from here and save it to your Desktop.
Unpack the archive…

• Close any open browsers and temporarily disable your AntiVirus program (if necessary).
  If you are unsure how to do this, please read this or this instruction.

• Double click on zoek.exe to run the tool. Please wait until the tool starts…
• Copy the text present inside the code box below and paste it into the large window in the zoek tool:

c:\windows\jre;vs
c:\programdata\{9A88E103-A20A-4EA5-8636-C73B709A5BF8};vs
c:\windows\PAExec.exe;i
EmptyCLSID;
c:\windows\ACF5FE1B377240688B872D2A6EFD0A05.TMP;f
AutoClean;

• Click on the Run script button.
  Please wait until a log report opens (this may be after a reboot).

• Save the Notepad file to your Desktop and attach zoek-results.log here.
  Note: It will also create a log in the C:\ directory named “zoek-results.log”.

Then reset all browser settings back to their defaults:

Chrome:
https://support.google.com/chrome/answer/3296214?hl=en

Firefox:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-most-problems

Then tell me how the computer behaves now.

The alert pop-ups became less frequent after my first post. After I installed ComboFix, the name of the infection changed. I started to receive two different alert pop-ups and one of them was from sindelclick.com. These pop-ups appeared several times a day. I’m not really sure if anything has changed, but so far I’m not getting any pop-ups.

Re-run the zoek script as you did before …

• Close any open browsers and temporarily disable your AntiVirus program (if necessary).
  If you are unsure how to do this, please read this or this instruction.

• Double click on zoek.exe to run the tool. Please wait until the tool starts…
• Copy the text present inside the code box below and paste it into the large window in the zoek tool:

jfmjfhklogoienhpfnppmbcbjfjnkonk;chr
aohghmighlieiainnegkcijnfilokake;chr
C:\Users\Reuben\AppData\Roaming\StatusWinks;fs
autoclean;

• Click on the Run script button.
  Please wait until a log report opens (this may be after a reboot).

• Save the Notepad file to your Desktop and attach zoek-results.log here.
  Note: It will also create a log in the C:\ directory named “zoek-results.log”.


Re-run FRST …

• Double-click to run it, make sure that the Addition.txt option is checked, and press the Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
• The tool should create another log (Addition.txt). Please attach it to your reply.

Okay, what’s next?

Tell me if this fixes your problem.

1. Open Notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right click on it. Paste this into the open Notepad window.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Hosts:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2223991042-2710331891-739761934-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
Task: {32D84965-5090-4BD6-A240-E0515A438A54} - System32\Tasks\0 => Iexplore.exe  <==== ATTENTION
CloseProcesses:
S2 0137421414578135mcinstcleanup; C:\Users\Reuben\AppData\Local\Temp\013742~1.EXE -cleanup -nolog [X]
EmptyTemp:
C:\Users\Reuben\jagex_cl_runescape_LIVE.dat
C:\Users\Reuben\jagex_cl_runescape_LIVE1.dat
C:\Users\Reuben\random.dat

2. Save the Notepad file as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.

I don’t think this fixed my problem. After I restarted my pc, I received alert pop-ups.

Ok-et,

Post me a fresh FRST.txt log report and confirm once again the computer behavior, so I can give you the green light to go.

I’m wondering if I will ever get rid of this infection. It’s very stubborn. :frowning:

I think this script for FixList should fix your problem:

CloseProcesses:
File: C:\Windows\SysWOW64\GameMon.des
FF Extension: DownloadTerms - C:\Program Files (x86)\Mozilla Firefox\extensions\cxfnl@nxazbwxrbgsgfqqp.net [2013-06-16]
C:\Program Files (x86)\Mozilla Firefox\extensions\cxfnl@nxazbwxrbgsgfqqp.net
EmptyTemp:

As you did before, create FixList.txt with the code posted above and run it via the FRST tool by clicking on the Fix button. Post me the freshly created FixLog.txt.

Then, re-run the zoek tool as you did before, click on More Options and check the boxes only for Do a QuickScan and AutoClean. Press the RunScan button and post me the freshly created zoek-report.txt log report (after the reboot), and tell me how things are now.
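The two FRST fixlists above remove items without first showing what is actually present on the machine. As an added example (not code from the thread, from FRST or from zoek), here is a read-only PowerShell audit that checks the same indicators the helper listed: the Internet Explorer policy restriction keys (machine-wide and under the user's SID), the scheduled task named 0, the orphaned mcinstcleanup service, the DownloadTerms Firefox extension directory and GameMon.des. It assumes PowerShell 3 or later and an elevated prompt; the SID, task name, service name and paths are the ones FRST reported in this thread, and the function name Get-ThreadIndicators is made up for the example.

```powershell
# Added example, not part of the thread or of FRST: read-only audit of the
# indicators listed in the two fixlists above. Assumes PowerShell 3+ and an
# elevated prompt; the SID, task name, service name and paths are the ones FRST
# reported in this thread, and the function name is made up for this example.
function Get-ThreadIndicators {
    $sid = 'S-1-5-21-2223991042-2710331891-739761934-1001'   # user SID from the FRST output
    $findings = @()

    # 1. Internet Explorer policy restrictions: list every value under the
    #    machine-wide key and under the user's hive (HKU is only populated
    #    while that user is logged on).
    $policyKeys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer',
        "Registry::HKEY_USERS\$sid\SOFTWARE\Policies\Microsoft\Internet Explorer"
    )
    foreach ($key in $policyKeys) {
        if (-not (Test-Path $key)) { continue }
        $subkeys = @(Get-Item $key) + @(Get-ChildItem $key -Recurse -ErrorAction SilentlyContinue)
        foreach ($k in $subkeys) {
            foreach ($name in $k.GetValueNames()) {
                $findings += [pscustomobject]@{
                    Kind = 'IE policy'; Location = $k.Name; Detail = "$name = $($k.GetValue($name))"
                }
            }
        }
    }

    # 2. Scheduled task "0": tasks are stored as XML files under System32\Tasks,
    #    so the action can be read without the Task Scheduler cmdlets.
    $taskFile = Join-Path $env:SystemRoot 'System32\Tasks\0'
    if (Test-Path -LiteralPath $taskFile) {
        [xml]$task = Get-Content -LiteralPath $taskFile
        $actions = foreach ($exec in $task.Task.Actions.Exec) { "$($exec.Command) $($exec.Arguments)".Trim() }
        $findings += [pscustomobject]@{
            Kind = 'Scheduled task'; Location = $taskFile; Detail = ($actions -join '; ')
        }
    }

    # 3. Service whose binary FRST marked [X] (file missing): report the
    #    registered image path and whether that file still exists.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='0137421414578135mcinstcleanup'"
    if ($svc) {
        $exe = ($svc.PathName -split ' -')[0].Trim('"')
        $findings += [pscustomobject]@{
            Kind = 'Service'; Location = $svc.Name
            Detail = "$($svc.PathName) (binary present: $(Test-Path -LiteralPath $exe))"
        }
    }

    # 4. Files and folders named in the fixlists (existence and last write time only).
    $paths = @(
        'C:\Program Files (x86)\Mozilla Firefox\extensions\cxfnl@nxazbwxrbgsgfqqp.net',
        'C:\Windows\SysWOW64\GameMon.des'
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            $item = Get-Item -LiteralPath $p
            $findings += [pscustomobject]@{
                Kind = 'Path'; Location = $p; Detail = "last written $($item.LastWriteTime)"
            }
        }
    }

    $findings
}

Get-ThreadIndicators | Format-Table -AutoSize -Wrap
```

Nothing here modifies the system; an empty table after the fix has run is the quick confirmation that the fixlist entries are really gone, and a non-empty one tells you exactly which item came back.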

I launched that zoek tool and I didn’t find a Runscan button.

Sorry my bad. I meant RunScript button. :slight_smile:

I’m still getting the occasional alert pop-ups with different kinds of names. I’m bothered mostly by the explorer.exe. Sometimes it will use 100% of my CPU and go over 4,000,000 KB. Do you think this could be caused by the infection or could it be a memory leak?

Attach a screenshot… (As it may help Magna find your issue)

100% usage of your CPU by explorer and 4GB of RAM isn’t normal, and wouldn’t be a memory leak.

Seriously? This will be difficult to do, because it doesn’t happen that often. Maybe like once every several days. Usually, explorer.exe goes over 1GB and then resets itself. This may take a while. I did catch it at 2GB. Does that count as normal?

Hi,

This does not necessarily mean that it is related to malware. First, reset the Firefox and Chrome browsers back to their default settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-most-problems
https://support.google.com/chrome/answer/3296214?hl=en

Have the alerts quieted down now? Next, I would like to perform an ARK check with the mighty GMER.

Please download GMER, AntiRootkit tool from the link below and save it to your Desktop:

Gmer download link
Note: the file will be randomly named.

Double-click to run GMER.

• Wait for the initial scan to finish; if there is any query, click No;
• Click the Scan button and wait until the full scan is complete;
• Click Save … and save the report to the Desktop (named Gmer1);

• Right-click anywhere in GMER’s window and select Options > 3rd party, then click the Scan button;
• Please wait until the full scan is complete;
• Click the Save … button and save the report to the Desktop (named Gmer2);
  Note: the scan for the Gmer2 log may take some time.

• Click the >>> and select the Autostart tab;
• After the quick scan, click the Copy button;
• Open Notepad and paste the text. Save the report to the Desktop (named Gmer3).

Attach here all Gmer logreports. (Gmer1; Gmer2 and Gmer3)

I don’t have Firefox and Chrome anymore. I use IE as my browser. I can’t attach Gmer2.log, because of the size limit; it’s 5MB. Maybe I did something wrong?

See if you have this file and delete it:
C:\Program Files (x86)\Mozilla Firefox\extensions\cxfnl@nxazbwxrbgsgfqqp.net

GMER does show possible suspicious activity but again, this may not be malware itself. Post me both fresh FRST logs (the FRST and Addition log reports).

Also, let’s perform one more ARK scan. Download TDSSKiller and save it to your Desktop.

Execute TDSSKiller.exe by double-clicking on it.
Confirm the “End User Licence Agreement” and “KSN Statement” dialog boxes by clicking on the Accept button.

• Under Additional options, check the boxes next to:
  - Verify Driver Digital Signature;
  - Detect TDLFS file system;
  - Use KSN to scan objects.
• Press Start Scan.
• If a Suspicious object is detected, the default action will be Skip; click on Continue.
• If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root of the system drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.